Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-1377

Publication date:

03/04/2023

The Solidres WordPress plugin through 0.9.4 does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2022-38922

Publication date:

03/04/2023

BluePage CMS thru 3.9 processes an insufficiently sanitized HTTP Header Cookie value allowing MySQL Injection in the &#39;users-cookie-settings&#39; token using a Time-based blind SLEEP payload.

Severity CVSS v4.0: Pending analysis

Last modification:

18/02/2025

CVE-2022-38923

Publication date:

03/04/2023

BluePage CMS thru v3.9 processes an insufficiently sanitized HTTP Header allowing MySQL Injection in the &#39;User-Agent&#39; field using a Time-based blind SLEEP payload.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2023-0820

Publication date:

03/04/2023

The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2023-1124

Publication date:

03/04/2023

The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2023-0399

Publication date:

03/04/2023

The Image Over Image For WPBakery Page Builder WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2023-28625

Publication date:

03/04/2023

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.

Severity CVSS v4.0: Pending analysis

Last modification:

10/04/2025

CVE-2023-1765

Publication date:

03/04/2023

Improper Neutralization of Special Elements used in an SQL Command (&#39;SQL Injection&#39;) vulnerability in Akbim Computer Panon allows SQL Injection.This issue affects Panon: before 1.0.2.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2023-1766

Publication date:

03/04/2023

Improper Neutralization of Input During Web Page Generation (&#39;Cross-site Scripting&#39;) vulnerability in Akbim Computer Panon allows Reflected XSS.This issue affects Panon: before 1.0.2.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-27665

Publication date:

03/04/2023

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

Severity CVSS v4.0: Pending analysis

Last modification:

01/02/2024

CVE-2023-26529

Publication date:

03/04/2023

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DupeOff.Com DupeOff plugin

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2023-26269

Publication date:

03/04/2023

Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.

Severity CVSS v4.0: Pending analysis

Last modification:

13/02/2025

Subscribe to Vulnerabilities